[Openswan Users] GRE over IPSec - Cisco endpoint

Erich Titl erich.titl at think.ch
Fri Dec 18 10:41:06 EST 2009


Tom Stockton wrote:
> Hi,
> I'm trying to connect to a third party's Cisco using Openswan, they
> are running a configuration very similar to that described here ..
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
> The third party are running the 'hub' and I'm trying to connect as one
> of the remote sites.  The third party network engineer has advised me
> that other customers have previously tried and failed to connect using
> freeswan/openswan, however I'm determined to give it a go.
> I can't get past phase 2 at the moment, but apparently this is because
> phase 2 runs over GRE (I don't understand how this would work, but
> this is how I'm told the cisco implementation operates).
> Third party endpoint:
> Third party subnet:,
> Our endpoint:
> Our subnet:
> The relevant bits from the IOS config that would work are:
> crypto isakmp policy 10
>  authentication pre-share
> crypto isakmp key <password> address
> !
> !
> crypto ipsec transform-set ThirdParty_transform esp-3des esp-md5-hmac
> !
> crypto map ThirdParty_IPSec 10 ipsec-isakmp
>  set peer
>  set transform-set ThirdParty_transform
>  set pfs group2
>  match address ThirdParty_encrypt
> !
> interface Tunnel0
>  description - IPSec encrypted GRE to ThirdParty -
>  ip unnumbered FastEthernet4
>  tunnel source FastEthernet4
>  tunnel destination
>  crypto map ThirdParty_IPSec
> !
> ip route Tunnel0
> ip route Tunnel0
> !
> ip access-list extended ThirdParty_encrypt
>  permit gre host host
> My ipsec.conf (not working) currently looks like this ..
> conn ThirdParty
>         type=tunnel
>         authby=secret
>         left=
>         leftsubnet=
>         right=
>         rightsubnets=,
>         esp=3des-md5-96
>         keyexchange=ike
>         pfs=yes
>         auto=start
> I haven't attempted to do any GRE yet but I don't understand how I
> would do it as part of the IPSec connection.  I can understand making
> a GRE connection after the IPSec tunnel was setup but in this case the
> IPSec and GRE endpoints are the same IP addresses so I don't
> understand how I could route the GRE connection through the IPSec
> tunnel without breaking IPSec ?

AFAIK a GRE endpoint is just another logical endpoint in your network.
It can have any address you want to give it, completely apart from the
IPSEC tunnel transporting the GRE tunnel.

Of course you will first have to establish an IPSEC connection to carry
the GRE tunnel packets.
Then you need to consider your MSS/MTU size, as every tunnel instance
will need a few bytes.
Also think about recovery of the various tunnels.
Finally you will have to consider your routing, but once you are there,
that is icing on the cake.

( I have not tried this myself )

> I could buy a cisco device (we already have one for another connection
> to the same third party in a different colo) but that would be no fun.
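A worked version of the plumbing Erich sketches, added here as an example and not taken from the thread or from Openswan's own documentation. It reads the Cisco crypto ACL `permit gre host A host B` as the peer's phase 2 identities (host-to-host, protocol 47), so the Openswan conn drops the subnet lists and selects GRE between the two endpoints instead; the GRE packets the Linux kernel emits from A to B then match the SA without any extra routing, because the kernel policy selects on protocol, not on a route. The sizing functions assume a 1500-byte physical MTU, the 3des-md5-96 transform from the post, the 4-byte GRE header (no key or sequence option) and no NAT-T UDP encapsulation (which would cost 8 more bytes); the interface name `gre1`, the tunnel address and the RFC 5737 endpoint and subnet addresses are placeholders, not the poster's.

```shell
#!/bin/sh
# Added example, not from the Openswan thread: size and plumb a GRE tunnel
# carried inside an Openswan host-to-host IPsec SA on Linux.
# All addresses are placeholders (assumptions); substitute your own.
set -eu

# Worst-case ESP tunnel-mode overhead in bytes for a cipher with block size
# $1, IV length $2 and ICV length $3 (3des-md5-96: 8 8 12 gives 57):
# outer IPv4 20 + SPI/seq 8 + IV + max padding (block-1) + pad-len/next-hdr 2 + ICV.
esp_overhead() {
    echo $((20 + 8 + $2 + ($1 - 1) + 2 + $3))
}

# MTU for the GRE interface so that GRE (20 IPv4 + 4 GRE header) plus ESP
# still fits in the physical MTU $1 without fragmenting the outer packet.
gre_mtu() {
    ov=$(esp_overhead "$2" "$3" "$4")
    echo $(($1 - ov - 24))
}

# TCP MSS to clamp on tunnel traffic: interface MTU minus IPv4 and TCP headers.
tcp_mss() {
    echo $(($1 - 40))
}

# Openswan conn matching a Cisco crypto ACL of "permit gre host A host B":
# no leftsubnet/rightsubnet (host-to-host), restricted to protocol 47, so the
# kernel's GRE packets from A to B are exactly what the SA encrypts.
ipsec_conn() {
    cat <<EOF
conn ThirdParty
        type=tunnel
        authby=secret
        left=$1
        leftprotoport=47
        right=$2
        rightprotoport=47
        esp=3des-md5-96
        keyexchange=ike
        pfs=yes
        auto=start
EOF
}

# Print (RUN=echo, the default) or apply (RUN= as root) the tunnel commands.
# $1 local endpoint, $2 remote endpoint, $3 local tunnel address/prefix,
# $4 GRE MTU; remaining arguments are remote subnets routed into the tunnel.
gre_up() {
    : "${RUN=echo}"
    local_ep=$1; remote_ep=$2; tun_addr=$3; mtu=$4
    shift 4
    # Same outer addresses as the SA: the policy on proto 47 picks these up.
    $RUN ip tunnel add gre1 mode gre local "$local_ep" remote "$remote_ep" ttl 64
    $RUN ip link set gre1 mtu "$mtu" up
    $RUN ip addr add "$tun_addr" dev gre1
    for net in "$@"; do
        $RUN ip route add "$net" dev gre1
    done
    # Clamp TCP MSS on flows entering the tunnel so end hosts never depend on
    # PMTUD surviving two layers of encapsulation.
    $RUN iptables -t mangle -A FORWARD -o gre1 -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --set-mss "$(tcp_mss "$mtu")"
}

# Cleartext-leak check: once the SA is up, GRE must never appear unencrypted on
# the outer interface $1 towards peer $2. Any packet this capture shows means
# the GRE traffic is bypassing the IPsec policy.
leak_check_cmd() {
    echo "tcpdump -ni $1 ip proto 47 and host $2"
}

if [ "${1:-}" = "demo" ]; then
    MTU=$(gre_mtu 1500 8 8 12)
    ipsec_conn 192.0.2.10 198.51.100.20
    gre_up 192.0.2.10 198.51.100.20 10.255.255.1/30 "$MTU" 10.20.0.0/16 10.30.0.0/24
    leak_check_cmd eth0 198.51.100.20
fi
```

`sh gre_over_ipsec.sh demo` prints the conn stanza and the command plan (1419-byte GRE MTU, 1379-byte MSS for the figures above); `RUN= sh gre_over_ipsec.sh demo` applies it as root. Bring the IPsec conn up first and confirm `ipsec auto --status` shows the SA established, then add the GRE interface; with the tunnel carrying traffic, the tcpdump from `leak_check_cmd` should stay silent while `tcpdump -ni eth0 esp` shows the ESP packets. Recovery is a separate matter: if the SA drops, the GRE interface stays up and traffic is held or dropped by the kernel policy, so monitor the SA rather than the interface.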

